Hosting your application using a secure transport chain
WebSphere ESB uses WebSphere Application Server V6.1 as the platform.
The WebSphere Application Server V6.1 Administration Console creates
and updates key stores and trust stores. It can add, create, and
extract certificates to and from key stores and trust stores. We will
use the Administration Console to create key stores and trust stores
in WebSphere ESB. The following sections will demonstrate how you can
create the key store and trust store and then create a new secure Web
container transport chain for your application in WebSphere ESB using
the SSL configuration.
Creating a key store in WebSphere ESB
To create a new SSL configuration, you begin by creating the key store
and the trust store that the new SSL configuration will use. A key
store holds multiple client and server certificates. In the sections
below, you will learn how to create the key store file and then create
a self-signed server certificate and a self-signed client certificate.
The server certificate is the certificate that WebSphere ESB returns
during the SSL handshake when WebSphere Commerce connects to WebSphere
ESB. The client certificate is the certificate that WebSphere ESB sends
when it acts as a client (as WebSphere Commerce does) and connects to
another server.
Creating the key store file in WebSphere ESB
- Login to the Administration Console in WebSphere ESB.
- Navigate to SSL certificate and key management > Key stores and certificates
under the Security section.
- Click New and enter the details as shown in Figure 1.
Figure 1. Creating a new key store file
- Enter the name for the key store, for example, MyKeyStore.
- Enter the key store file path. Always use WebSphere variables, for
example, ${CONFIG_ROOT}/cells/esbCell/nodes/esbNode/MyKeys.p12.
- Enter a password of your choice and confirm the password.
- Select the type as PKCS12, which is the default and is also
recommended.
- Click OK and save the changes to the master configuration.
Creating a self-signed server certificate in WebSphere ESB
When a client attempts an SSL handshake, WebSphere ESB returns the
server certificate to the client to confirm its identity.
- Navigate to SSL certificate and key management > Key
stores and certificates under the Security
section.
- Click the key store which you have created by following the
steps above.
- Click Personal Certificates.
- Click Create a self-signed certificate and enter the
details as shown in Figure 2.
Figure 2. Creating a self-signed certificate
- Enter an alias for the certificate, for example, myservercert.
- Enter the common name. We recommend entering the host name of the
machine where the certificate resides, for example,
myhostname.mycompany.com.
- Click OK and save the changes to the master configuration.
Creating a self-signed client certificate in WebSphere ESB
When WebSphere ESB acts as a client to another server and attempts an
SSL handshake, WebSphere ESB sends the client certificate to that
server to confirm its identity. This scenario does not arise in this
tutorial; you still need to create the client certificate because an
SSL configuration in WebSphere ESB requires both a default client and a
default server certificate to be specified.
- Navigate to SSL certificate and key management > Key
stores and certificates under the Security
section.
- Click the key store which you have created by following the
steps above.
- Click Personal Certificates.
- Click Create a self-signed certificate and enter the
details as shown in Figure 2 above.
- Enter an alias for the certificate, for example, myclientcert.
- Click OK and save the changes to the master configuration.
Creating a trust store in Enterprise Service Bus
A trust store contains the client certificates that the server trusts;
the client certificates are added to it as signer certificates. In the
section below, you will learn how to create the trust store file in
WebSphere ESB. Note that for the SSL handshake to complete
successfully, you will also have to add the client certificate of
WebSphere Commerce to the trust store of WebSphere ESB. Details will be
discussed in later sections.
Creating the trust store file in WebSphere ESB
- Login to the Administration Console in WebSphere ESB.
- Navigate to SSL certificate and key management > Key stores
and certificates under the Security section.
- Click New and enter the details as shown in Figure 3.
Figure 3. Creating a new trust store file
- Enter the name for the key store, for example, MyTrustStore.
- Enter the key store file path. Always use WebSphere variables, for
example, ${CONFIG_ROOT}/cells/esbCell/nodes/esbNode/MyTrust.p12.
- Enter a password of your choice and confirm the password.
- Select the type as PKCS12, which is the default and is also
recommended.
- Click OK and save the changes to the master configuration.
Creating an SSL configuration in Enterprise Service Bus
The transport chain binds the specified SSL configuration to the port,
and it reads that SSL configuration to determine which server and
client certificates to use for the port.
- Login to the Administration Console in WebSphere ESB.
- Navigate to SSL certificate and key management > SSL configurations
under the Security section.
- Click New and enter the details as shown in Figure 4.
Figure 4. Creating an SSL configuration
- Enter the name for the SSL configuration, for example,
MySSLConfiguration.
- Select the trust store name, which you created above.
- Select the key store name, which you created above.
- Click Get certificate aliases.
- Select the alias of the server certificate, which you created above,
as the default server certificate alias.
- Select the alias of the client certificate, which you created above,
as the default client certificate alias.
- Click OK and save the changes to the master configuration.
Enforcing client authentication in WebSphere ESB
Enforce client authentication during the SSL handshake so that only
trusted clients are allowed to connect to the server. This requires any
client connecting to WebSphere ESB through the secure transport chain
to send a client certificate.
- Navigate to SSL certificate and key management > Key
stores and certificates under the Security
section.
- Click the SSL configuration, which you created above.
- Click Quality of protection (QoP) settings.
- Select Required in Client Authentication as shown in Figure 5.
- Click OK and save the changes to the master configuration.
Figure 5. Enforcing client authentication
For initial verification, and to check whether WebSphere ESB is
actually sending the server certificate, you may choose the None or
Supported option. This lets you invoke the Web service endpoint from a
browser and view the server certificate that WebSphere ESB returns.
However, ensure that you set it back to Required after the
verification.
Creating a secure inbound Web container transport chain in WebSphere ESB
In the section below, you will learn how to create a new secure
transport chain in the Web container. When you create a transport
chain, you also specify its port; the port is created together with
the transport chain. You will also learn how to specify the SSL
configuration you created above as the SSL configuration of the new
transport chain.
- Login to the Administration Console in WebSphere ESB.
- Navigate to Application servers > server1 > Web
container transport chains under the Servers
section as shown in Figure 6.
Figure 6. Navigating to Web container transport chains
- Click New.
- Enter the transport chain details as shown in Figure 7.
Figure 7. Selecting the transport chain template
- Enter a name for the transport chain, for example,
MySecureTransportChain.
- Select WebContainer-Secure(templates/chains|webcontainer-chains.xml#Chain_2)
as the transport chain template.
- Click Next.
- Enter the port details as shown in Figure 8.
Figure 8. Entering the port details
- Enter a name for the port, for example, MySecurePort.
- Enter a port number, for example, 8002.
- Review the summary, click Finish, and save the changes to the master
configuration.
For verification purposes, you can also create another transport chain
without SSL. To create one, select
WebContainer(templates/chains|webcontainer-chains.xml#Chain_1)
as the transport chain template and select a different port, for
example, 8001.
Specifying the SSL configuration in WebSphere ESB
When you create a new secure transport chain, the default SSL
configuration, DefaultSSLSettings, is
selected as the SSL configuration of the transport chain. In this
section, you will learn how to specify the SSL configuration, which
you have created above as the SSL configuration of the new transport
chain.
- Navigate to Application servers > server1 > Web
container transport chains under the Servers
section as shown in Figure 6 above.
- Click the secure transport chain which you have created
above.
- Click SSL inbound channel (SSL_4).
- Select the SSL configuration, which you have created as shown in
Figure 9.
- Click OK and save the changes to the master
configuration.
Figure 9. Specifying the SSL configuration
Creating a virtual host in WebSphere ESB
So far you have created a new transport chain specifying a new SSL
configuration. Now you need to associate your application in WebSphere
ESB to the new transport chain. To do so, you need to create a new
virtual host and then create host aliases for the transport chain
ports, which you have created during the creation of the transport
chain. Your application then needs to be mapped to this new virtual
host. In this section, you will learn how to create a new virtual host
and then map an application to the new virtual host.
- Login to the Administration Console in WebSphere ESB.
- Navigate to Virtual Hosts under the Environment
section.
- Click New.
- Enter a name for the virtual host, for example, MyVirtualHost.
- Click OK and save the changes to the master configuration.
Creating host aliases in WebSphere ESB
In this section, you will learn how to create host aliases for the
transport chain port.
- Navigate to Virtual Hosts under the Environment
section.
- Click the virtual host which you have created above.
- Click Host Aliases.
- Click New.
- Enter the details as shown in Figure 10.
- Enter the port which you specified while creating the transport
chain.
- Click OK and save the changes to the master
configuration.
Figure 10. Creating a host alias
For verification purposes, if you had created a transport chain without
SSL above, then create another host alias for that transport chain
port without SSL, for example, 8001 as
mentioned above.
Mapping your application to the virtual host in WebSphere ESB
In the previous section, you have created the virtual host. In this
section, you will learn how to map your application to this new
virtual host.
- Navigate to Enterprise Applications under the
Applications section.
- Click your application. In Figure 11 the application is named
WC-ServicesSimulatorApp.
- Click Virtual hosts.
- Choose the Web modules in your application, which you want to map
to the new virtual host.
- Select the virtual host, which you have created as shown in
Figure 11.
- Click OK and save the changes to the master
configuration.
Figure 11. Mapping web modules to virtual hosts
Now your application is mapped to a virtual host, which uses the custom
SSL settings that you have configured.
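To confirm the result end to end from a client machine, the following added example (not part of the original tutorial) connects to the secure port without presenting a client certificate, reports the common name of the server certificate it is shown, and classifies whether the server refused the session, which is what Client Authentication = Required should produce. It assumes the self-signed server certificate has been extracted from MyKeyStore to a PEM file (the path is a placeholder); the host name and port are the tutorial's example values.

```python
"""Probe a WebSphere ESB secure transport chain without a client certificate."""
import socket
import ssl

HOST = "myhostname.mycompany.com"              # common name of myservercert
PORT = 8002                                    # MySecurePort from the tutorial
SERVER_CERT_PEM = "/path/to/myservercert.pem"  # placeholder: cert extracted from MyKeyStore


def subject_common_name(peercert):
    """Return the CN from the dict that SSLSocket.getpeercert() produces."""
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def client_auth_verdict(error):
    """Map the outcome of a certificate-less handshake to the QoP setting it implies."""
    if error is None:
        return "not-required"          # server answered: Client Authentication is None/Supported
    if isinstance(error, ssl.SSLCertVerificationError):
        return "server-cert-rejected"  # served cert is not the extracted one, or CN mismatch
    if isinstance(error, ssl.SSLError):
        return "required"              # session refused: Client Authentication is Required
    return "unknown"


def probe(host=HOST, port=PORT, cafile=SERVER_CERT_PEM):
    """Connect with no client certificate; return (server CN or None, verdict)."""
    # Trust only the extracted self-signed certificate; check_hostname stays on.
    ctx = ssl.create_default_context(cafile=cafile)
    cn, error = None, None
    with socket.create_connection((host, port), timeout=10) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cn = subject_common_name(tls.getpeercert())
                # TLS 1.3 reports a missing client certificate only after the
                # first request, so send one and wait for at least one byte back.
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                if not tls.recv(1):
                    error = ssl.SSLError("server closed the session without a reply")
        except ssl.SSLError as exc:
            error = exc
    return cn, client_auth_verdict(error)
```

Older WebSphere levels negotiate TLS 1.0 at best, so on a modern client you may need to lower ctx.minimum_version before the handshake succeeds at all. Run probe() once with Client Authentication set to None or Supported to read the CN, then again after setting it back to Required to see the verdict change.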